laravel / pulse

Laravel Pulse is a real-time application performance monitoring tool and dashboard for your Laravel application.
https://pulse.laravel.com
MIT License

Use pulse in production with Tymon JWT auth #241

Closed Tob0t closed 9 months ago

Tob0t commented 9 months ago

Pulse Version

1.0@beta

Laravel Version

10.37.3

PHP Version

8.2.12

Livewire Version

3.3.0

Database Driver & Version

No response

Description

Working with JWT auth worked perfectly with Telescope by using the custom middleware described in https://github.com/laravel/telescope/issues/592. However, when applying the same for Pulse I always get a 419 response saying that the page has expired. I guess it has something to do with the XSRF token, but I cannot find the location where to inject it. I did the same setup as for Telescope but could not find a working solution. Any ideas?

Steps To Reproduce

1) Create custom middleware:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Tymon\JWTAuth\Facades\JWTAuth;

class AppendTokenAsCookie
{
    /**
     * Handle the incoming request.
     *
     * @return \Illuminate\Http\Response
     */
    public function handle(Request $request, Closure $next)
    {
        // Run the rest of the pipeline exactly once; the cookie is attached to this response below.
        $response = $next($request);

        // Only the Telescope and Pulse entry routes get the cookie (route may be null on 404s).
        $routeName = $request->route()?->getName();
        if ($routeName !== 'telescope' && $routeName !== 'pulse') {
            return $response;
        }

        // A token cookie is already present: nothing to do.
        if ($request->cookie('token')) {
            return $response;
        }

        // No ?token= parameter on the request: nothing to do.
        if (empty($token = $request->input('token'))) {
            return $response;
        }

        // Let the cookie expire together with the JWT's own "exp" claim.
        $payload = JWTAuth::setToken($token)->getPayload();
        $exp = $payload->get('exp');
        $minutes = floor(($exp - time()) / 60);

        return $response->withCookie(cookie('token', $token, $minutes));
    }
}

2) Adapt config/pulse.php:

...
'middleware' => [
    AppendTokenAsCookie::class,
    'auth:api',
    Authorize::class,
],

3) Visit http://localhost/pulse?token={jwt-token}

4) Error 419 (screenshot)

Instructions taken from https://github.com/laravel/telescope/issues/592

jessarcher commented 9 months ago

I think the reason this is occurring here and not with Telescope is because Pulse uses Livewire.

It's not clear from the details you've provided whether the 419 is coming from Laravel, Livewire, or somewhere else though. Can you share the response body?

It's also worth noting that the middleware that you configure with Pulse get set as "persistent middleware" with Livewire, meaning that if the middleware is present on the initial non-Livewire request to /pulse then it will also be applied on any subsequent Livewire update requests to /livewire/update.

Tob0t commented 9 months ago

Thanks @jessarcher that is most likely the issue.

Response body is the following (screenshot), or the HTML (removed the style prop):

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Page Expired</title>
    </head>
    <body class="antialiased">
        <div class="relative flex items-top justify-center min-h-screen bg-gray-100 dark:bg-gray-900 sm:items-center sm:pt-0">
            <div class="max-w-xl mx-auto sm:px-6 lg:px-8">
                <div class="flex items-center pt-8 sm:justify-start sm:pt-0">
                    <div class="px-4 text-lg text-gray-500 border-r border-gray-400 tracking-wider">419                    </div>
                    <div class="ml-4 text-lg text-gray-500 uppercase tracking-wider">Page Expired                    </div>
                </div>
            </div>
        </div>
    </body>
</html>

So it's coming from Livewire, true. Since I have never worked with Livewire, is there a way to tweak its authentication check to also accept cookie authorization?

Regarding the "persistent middleware": thanks for the info, however this middleware is just forwarding the request when there is already a token cookie appended.

jessarcher commented 9 months ago

I believe it's because you don't have the web middleware which creates the session needed for Livewire to validate update requests.

See https://github.com/livewire/livewire/discussions/4959 for some other potential solutions if adding the web middleware doesn't solve it.
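As an added illustration that is not part of the thread: the config/pulse.php middleware list exactly as reported above, beside the variant jessarcher suggests, with the `web` group first so the session and its CSRF token exist before Livewire checks the /livewire/update requests; the `Authorize` import path is assumed from the default Pulse config.

```php
<?php

use App\Http\Middleware\AppendTokenAsCookie;
use Laravel\Pulse\Http\Middleware\Authorize; // assumed default Pulse import

// As reported: no session is started, so Livewire's CSRF check on
// /livewire/update has nothing to compare against and answers 419.
$reportedMiddleware = [
    AppendTokenAsCookie::class,
    'auth:api',
    Authorize::class,
];

// Suggested: 'web' starts the session (and issues the XSRF token) on the
// first /pulse request. Because Pulse registers this list as Livewire
// "persistent middleware", the same chain also runs on every update request.
$suggestedMiddleware = [
    'web',
    AppendTokenAsCookie::class,
    'auth:api',
    Authorize::class,
];

return [
    // ... other Pulse options unchanged ...
    'middleware' => $suggestedMiddleware,
];
```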

jessarcher commented 9 months ago

Hey there,

We're closing this issue because it's inactive, already solved, old or not relevant anymore. Feel free to open up a new issue if you're still experiencing this problem.